Early Internet networking protocols were designed to facilitate communication between network devices through an open exchange of data. As more and more network devices were connected to the Internet, the use of network devices for malicious attacks increased. Such malicious attacks include theft of data, Denial of Service (DoS) attacks, the proliferation of computer viruses, and the like. Protocols and firewalls were developed that allowed defining a network security policy that would block malicious network traffic while continuing to allow other network traffic. However, the increasing complexity of a typical network layer, including its security policies, makes it difficult to diagnose the cause of an incorrectly denied network access attempt.
Various methods have been developed to protect network devices against malicious attacks, usually through implementation of one or more network policies. One network policy is a security policy such as provided for by the Internet Protocol Security (IPSec) suite. The IPSec suite provides protocols such as Encapsulating Security Protocol (ESP), Authentication Header (AH), and Internet Key Exchange and Management (IKE). The ESP protocol, documented in Internet Engineering Task Force (IETF) Request for Comments (RFC) 2406, is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide integrity, source authentication, and confidentiality of data. The AH protocol, documented in IETF RFC 2402, is an authentication protocol that uses a hash signature in the packet header to validate the integrity of the packet data and authenticity of the sender.
The IKE protocol, documented in IETF RFC 2409, provides a method for network devices to negotiate security settings used with the AH and ESP protocols. The negotiated security settings form a data structure called a security association (SA). The SA defines parameters, such as the authentication algorithm, encryption algorithm, cryptographic keys, and the lifetime of keys, used by the ESP or AH protocol to protect the contents of the IP packet. Because the ESP and AH protocols require an established SA, an IKE negotiation is executed before the ESP or AH protocols are used to transmit data.
A network device identifies packets that are subject to IPSec processing (e.g., by the IKE, AH, or ESP protocols), and the manner in which such packets should be processed, based on a security policy maintained in a Security Policy Database (SPD). The security policy is a set of rules assigned to the network layer that defines how to apply IPSec. The security policy includes filter lists, authentication methods, and other information. The proper security policy to be applied to a packet is usually determined based upon the packet's source and destination IP address, source and destination port, and protocol type.
Another network policy used to protect against malicious attacks is a firewall policy. The firewall policy is implemented by one or more filters. Each filter includes filter parameters and an associated policy to be applied to packets that match the filter parameters. The filter parameters include information such as hardware addresses (e.g., Media Access Control (MAC) addresses), network addresses (e.g., IP addresses), protocol type (e.g., Transport Control Protocol (TCP)), port numbers, and the like. The firewall policy of a filter identifies how packets with parameters that match the filter parameters should be treated. For example, a filter may indicate that packets with a certain IP address should be dropped. Whenever the network device examines a packet and through that examination identifies a packet destined to that IP address, the network device drops the packet to prevent it from traversing the network.
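The two preceding paragraphs describe the same mechanism from two angles: an ordered list of filters, each carrying match parameters (addresses, protocol, ports) and an action, consulted for every packet. The following is an added illustration of that lookup, written for this page and not taken from the original document; the filter names, the action labels ("permit", "drop", "ipsec"), and the packets are constructed sample data. Beyond the basic first-match decision, the lookup records why each earlier filter did not match, which is the information a diagnosis of an incorrectly denied packet needs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard: the parameter does not take part in the match


@dataclass(frozen=True)
class Filter:
    """One firewall/SPD filter: match parameters plus the action to apply."""
    name: str
    action: str                   # constructed action labels: "permit", "drop", "ipsec"
    src: Optional[str] = ANY      # source network in CIDR form, e.g. "10.0.0.0/8"
    dst: Optional[str] = ANY      # destination network in CIDR form
    proto: Optional[str] = ANY    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = ANY    # destination port

    def mismatch(self, pkt: dict) -> Optional[str]:
        """Return the first filter parameter the packet fails, or None if it matches."""
        if self.src is not ANY and ip_address(pkt["src"]) not in ip_network(self.src):
            return "src"
        if self.dst is not ANY and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return "dst"
        if self.proto is not ANY and self.proto != pkt["proto"]:
            return "proto"
        if self.dport is not ANY and self.dport != pkt.get("dport"):
            return "dport"
        return None


def lookup(filters, pkt, default="drop"):
    """First-match lookup over an ordered filter list.

    Returns (action, name of the matching filter or None, trace). The trace lists
    every filter evaluated and the parameter on which it failed, so a denied
    packet can be related back to the policy entry responsible for the decision.
    """
    trace = []
    for f in filters:
        why = f.mismatch(pkt)
        if why is None:
            trace.append((f.name, "match"))
            return f.action, f.name, trace
        trace.append((f.name, f"no match on {why}"))
    return default, None, trace


# Constructed sample policy; order matters because the first match wins.
POLICY = [
    Filter("allow-dns", "permit", proto="udp", dport=53),
    Filter("block-host", "drop", dst="192.0.2.10/32"),          # "drop packets to a certain IP address"
    Filter("ipsec-branch", "ipsec", src="10.0.0.0/8", dst="192.0.2.0/24"),
    Filter("allow-web", "permit", proto="tcp", dport=443),
]

# Constructed packets (documentation address ranges).
WEB_TO_BLOCKED = {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
WEB_TO_BRANCH = {"src": "10.1.2.3", "dst": "192.0.2.20", "proto": "tcp", "dport": 443}
UNLISTED = {"src": "198.51.100.7", "dst": "203.0.113.9", "proto": "tcp", "dport": 25}

if __name__ == "__main__":
    for pkt in (WEB_TO_BLOCKED, WEB_TO_BRANCH, UNLISTED):
        action, name, trace = lookup(POLICY, pkt)
        print(f"{pkt['src']} -> {pkt['dst']}:{pkt.get('dport')} => {action} (filter: {name})")
        for step in trace:
            print("   ", *step)
```

The first packet is dropped by "block-host" even though a later filter would permit HTTPS, which is exactly the kind of outcome that is hard to explain from a drop counter alone; the trace shows the filter that decided it and why the filters ahead of it did not apply. The third packet falls through every filter and receives the default action, with the trace showing the last filter it nearly matched.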
Network devices also use non-security related policies to control the flow of network traffic. As one example, network devices implement a Quality of Service (QoS) based policy. QoS addresses the fact that transmission rates, error rates, and other characteristics can be measured, improved, and to some extent guaranteed in advance. Packets can be expedited based on policy and reservation criteria. QoS is used, for example, to allocate network bandwidth for improved communications between network devices.
The proliferation of policies for securing a network device has made it difficult to diagnose network incidents. Each of the policy components typically has its own method of logging diagnostic information, and logged information from each component is typically missing information relevant to a complete diagnosis of a particular network incident. Moreover, once the cause of a failure is known, it is typically a significant task to relate the cause back to a particular policy that needs to be modified to prevent the failure.